diff options
| author | Nick Mathewson <nickm@torproject.org> | 2016-05-25 09:27:35 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2016-05-25 09:27:35 -0400 |
| commit | b5e2b3844ab3a1c9fe42d0c83e3e95705dee2900 (patch) | |
| tree | 822820461abf92e19b4b3e5b01a72f26e19334de | |
| parent | 0f80dd2a26333ee78a9698b4d3cf8079736f34b5 (diff) | |
| parent | fdfc528f85c11a1d29b6a67e32180278d1ca7cbb (diff) | |
| download | tor-b5e2b3844ab3a1c9fe42d0c83e3e95705dee2900.tar.gz tor-b5e2b3844ab3a1c9fe42d0c83e3e95705dee2900.zip | |
cMerge branch 'maint-0.2.8' into release-0.2.8
| -rw-r--r-- | changes/memarea_overflow | 7 | ||||
| -rw-r--r-- | changes/rsa_init_bug | 7 | ||||
| -rw-r--r-- | src/common/crypto.c | 4 | ||||
| -rw-r--r-- | src/common/memarea.c | 8 |
4 files changed, 22 insertions, 4 deletions
diff --git a/changes/memarea_overflow b/changes/memarea_overflow new file mode 100644 index 0000000000..8fdc38cc09 --- /dev/null +++ b/changes/memarea_overflow @@ -0,0 +1,7 @@ + o Minor bugfixes (pointer arithmetic): + - Fix a bug in memarea_alloc() that could have resulted in remote heap + write access, if Tor had ever passed an unchecked size to + memarea_alloc(). Fortunately, all the sizes we pass to memarea_alloc() + are pre-checked to be less than 128 kilobytes. Fixes bug 19150; bugfix + on 0.2.1.1-alpha. Bug found by Guido Vranken. + diff --git a/changes/rsa_init_bug b/changes/rsa_init_bug new file mode 100644 index 0000000000..6b5fb4f2f9 --- /dev/null +++ b/changes/rsa_init_bug @@ -0,0 +1,7 @@ + o Major bugfixes (key management): + - If OpenSSL fails to generate an RSA key, do not retain a dangling pointer + to the previous (uninitialized) key value. The impact here should be + limited to a difficult-to-trigger crash, if OpenSSL is running an + engine that makes key generation failures possible, or if OpenSSL runs + out of memory. Fixes bug 19152; bugfix on 0.2.1.10-alpha. Found by + Yuan Jochen Kang, Suman Jana, and Baishakhi Ray. diff --git a/src/common/crypto.c b/src/common/crypto.c index d2a42698cb..933f1033f7 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -585,8 +585,10 @@ MOCK_IMPL(int, { tor_assert(env); - if (env->key) + if (env->key) { RSA_free(env->key); + env->key = NULL; + } { BIGNUM *e = BN_new(); diff --git a/src/common/memarea.c b/src/common/memarea.c index 0a3fd009b0..173ed4e1cb 100644 --- a/src/common/memarea.c +++ b/src/common/memarea.c @@ -83,8 +83,7 @@ typedef struct memarea_chunk_t { struct memarea_chunk_t *next_chunk; size_t mem_size; /**< How much RAM is available in mem, total? */ char *next_mem; /**< Next position in mem to allocate data at. If it's - * greater than or equal to mem+mem_size, this chunk is - * full. */ + * equal to mem+mem_size, this chunk is full. */ #ifdef USE_ALIGNED_ATTRIBUTE /** Actual content of the memory chunk. */ char mem[FLEXIBLE_ARRAY_MEMBER] __attribute__((aligned(MEMAREA_ALIGN))); @@ -205,7 +204,10 @@ memarea_alloc(memarea_t *area, size_t sz) tor_assert(sz < SIZE_T_CEILING); if (sz == 0) sz = 1; - if (chunk->next_mem+sz > chunk->U_MEM+chunk->mem_size) { + tor_assert(chunk->next_mem <= chunk->U_MEM + chunk->mem_size); + const size_t space_remaining = + (chunk->U_MEM + chunk->mem_size) - chunk->next_mem; + if (sz > space_remaining) { if (sz+CHUNK_HEADER_SIZE >= CHUNK_SIZE) { /* This allocation is too big. Stick it in a special chunk, and put * that chunk second in the list. */ |